Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set security context of workloads #1325

Merged
merged 5 commits into from
Feb 20, 2024
Merged

Set security context of workloads #1325

merged 5 commits into from
Feb 20, 2024

Conversation

jacobbaungard
Copy link
Contributor

This commit sets the following security context of all workloads
directly handled by the operator:

securityContext:
    privileged: false
    readOnlyRootFilesystem: true

this as required by: RHOBS-1001

@jacobbaungard
Copy link
Contributor Author

/hold (will release once all PRs have been tested e2e)

@jacobbaungard
Copy link
Contributor Author

/retest-required

@jacobbaungard jacobbaungard force-pushed the set-security-context branch 2 times, most recently from e372071 to d61fc09 Compare February 13, 2024 10:36
@jacobbaungard
Copy link
Contributor Author

/retest

@philipgough
Copy link
Contributor

/retest-required

@jacobbaungard
Copy link
Contributor Author

/test test-e2e
/test e2e-kind

@jacobbaungard
Copy link
Contributor Author

/retest

1 similar comment
@jacobbaungard
Copy link
Contributor Author

/retest

@jacobbaungard
Copy link
Contributor Author

/retest

@jacobbaungard jacobbaungard force-pushed the set-security-context branch 2 times, most recently from f2db06b to 6b94e1e Compare February 14, 2024 15:57
@jacobbaungard
Copy link
Contributor Author

/retest

@jacobbaungard
Fix formatting of select yaml files
a236172 
Formatting was borked, making them hard to edit. Ran select ones through
yamlfmt.

Signed-off-by: Jacob Baungard Hansen <[email protected]>
@jacobbaungard
Copy link
Contributor Author

/retest

1 similar comment
@jacobbaungard
Copy link
Contributor Author

/retest

@jacobbaungard
Set security context of workloads
84dda98 
This commit sets the following security context of all workloads
directly handled by the operator:

```
securityContext:
    privileged: false
    readOnlyRootFilesystem: true
```

this as required by: RHOBS-1001

Signed-off-by: Jacob Baungard Hansen <[email protected]>
@jacobbaungard
Set security context in metrics collector
4f6078b 
This commit sets the following security context for the metric collector
pods:

```
securityContext:
    privileged: false
    readOnlyRootFilesystem: true
```

this as required by: RHOBS-1001

Signed-off-by: Jacob Baungard Hansen <[email protected]>
@jacobbaungard
Set securityContext for endpoint-observability
3020f88 
This commit sets the following security context for the
endpoint-observability-operator

```
securityContext:
    privileged: false
    readOnlyRootFilesystem: true
```

this as required by: RHOBS-1001

Signed-off-by: Jacob Baungard Hansen <[email protected]>
@jacobbaungard
Apply with oc for grafana-dev
d31af64 
Otherwise fsGroup in the security context fails.

Signed-off-by: Jacob Baungard Hansen <[email protected]>
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@jacobbaungard
Copy link
Contributor Author

/retest

moadz
moadz approved these changes Feb 19, 2024
View reviewed changes
operators/multiclusterobservability/manifests/base/observatorium/operator.yaml
- observatorium-operator
topologyKey: topology.kubernetes.io/zone
weight: 70
- podAffinityTerm:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason why the yaml is being formatted differently?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There were some formatting inconsistencies before (or at least my eyes struggled with the formatting), so I ran the files I needed to change through yamllint as I found it hard to make changes correctly otherwise.

@openshift-ci openshift-ci bot added the lgtm label Feb 19, 2024
@moadz
Copy link
Contributor

moadz commented Feb 19, 2024

/approve

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Feb 19, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jacobbaungard, moadz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [jacobbaungard,moadz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jacobbaungard
Copy link
Contributor Author

/unhold

@openshift-merge-bot openshift-merge-bot bot merged commit e4130bd into stolostron:main Feb 20, 2024
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moadz moadz moadz approved these changes

Assignees

@moadz moadz

Labels
approved dco-signoff: yes lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jacobbaungard @philipgough @moadz